Ask the Privacy Expert
Readers are encouraged to submit their questions to
. We will tap the expertise of IAPP members to answer your questions.
Q: How does the recent Article 29 Working Party Opinion on the meaning of "personal data" affect our understanding of the scope of the European Data Protection Directive?
A: Opinion 4/2007 "on the concept of personal data" (WP 136) was adopted by the Article 29 Working Party on June 20. Although it does not contain anything new as far as "seasoned" European data protection professionals are concerned, from the UK perspective it can be regarded as being a landmark publication, because it leads to only one conclusion about the decision of the Court of Appeal in the well-known case of Durant v. Financial Services Authority, namely that the Court of Appeal's interpretation of the meaning of personal data is unsustainable. How the UK courts will go about reconciling Durant with Opinion 4/2007 remains to be seen.
For data protection professionals working in the U.S. and elsewhere, the opinion may well prove to be very helpful, as it addresses some common misunderstandings about the meaning of "identifiable"; to summarize, one of the key components within the meaning of personal data is that it should relate to an "identified or identifiable" natural person.
From the writer's own experiences in private practice, it can be said that many data controllers labor under the misapprehension that identifiability means that data should be capable of identifying a person by name. The opinion tackles this misapprehension head on, saying that "it should be noted that, while identification through the name is the most common occurrence in practice, a name may itself not be necessary in all cases to identify an individual."
The essence of identifiability is the ability to distinguish one person from another, so that, for example, one person can be singled out for special treatment. This "singling-out" component can be satisfied without the need for a name in certain cases, with one of the most obvious being precision online marketing where data relating to browsing patterns are analyzed in order to serve up bespoke advertising content to the user of the terminal equipment. The precision marketing company may never know the name of the user of the terminal equipment, but the user is still singled out for special treatment all the same. In this kind of scenario the Data Protection Directive is likely to apply.
Of course, a closely related issue is anonymization, because if data cannot single out a person for special treatment, it will not satisfy the identifiability component. Many would-be data controllers strive to take advantage of anonymization techniques to take themselves outside the scope of the data protection regime.
The opinion closely scrutinizes the concept of anonymization, making distinctions among pseudonymization, key-coded data and truly anonymous data. The essence of pseudonymization is the disguising of identities, but if the disguise can be unravelled so that a person can be identified, the directive is likely to apply. Key-coded data is a form of pseudonymization, where a person is identified by a code rather than by name and the key is held separately. The issue with key-coded data is the risk of the code and the key being combined so as to identify the person concerned. If the risk is a real one, the directive is likely to apply. True anonymization speaks for itself.
The opinion deals with much more than identification. In fact, identification forms the third part of the discussion, and the opinion addresses the concepts of "any information," "relating to," "identified or identifiable" and "natural person."
The discussions about the meaning of "any information" and "relating to" go to show that the directive is intended to have a wide scope, and so in most cases of confusion the analysis of the directive's application is likely to turn on identifiability.
Returning to the opening comments about the Durant case, it is the discussion of the meaning of "relating to" that is most relevant for U.S. data controllers operating in the UK, because the Court of Appeal in Durant built the largest part of its analysis around these words, holding that files held by the Financial Services Authority did not relate to Mr. Durant, but to Mr. Durant's complaint about a UK bank. To many commentators, this was a distinction without a difference, which the opinion now confirms.
This response represents the personal opinion of our expert (and not that of his/her employer), and cannot be considered to be legal advice. If you need legal advice on the issues raised by this question, we recommend that you seek legal guidance from an attorney familiar with these laws.